CVE-2026-25113 identifies a security weakness in the WebSocket API of the SWITCH EV platform (swtchenergy.com), which lacks any form of rate limiting on authentication attempts. This vulnerability falls under CWE-307, indicating improper restriction of excessive authentication attempts. The absence of rate limiting means an attacker can flood the authentication interface with numerous requests, potentially causing denial-of-service conditions by overwhelming the system or misrouting legitimate telemetry data from electric vehicle chargers. Additionally, this flaw allows brute-force attacks against authentication mechanisms, increasing the risk of unauthorized access. The vulnerability affects all versions of the product and requires no privileges or user interaction to exploit, making it remotely exploitable over the network. The CVSS 3.1 score of 7.5 reflects a high severity due to network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although no known exploits have been reported in the wild, the potential impact on availability and operational continuity of EV charging infrastructure is significant. The lack of patches or vendor-provided mitigations at the time of publication necessitates immediate defensive measures by users of the platform.

The primary impact of this vulnerability is on the availability of the SWITCH EV charging platform services. Attackers can launch denial-of-service attacks by flooding the WebSocket authentication interface, disrupting legitimate telemetry data flow from EV chargers. This can lead to operational outages, loss of monitoring and control capabilities, and degraded user experience for EV owners relying on these chargers. Additionally, the possibility of brute-force attacks raises concerns about unauthorized access, which could lead to further compromise or manipulation of charging infrastructure. For organizations managing large EV fleets or public charging networks, such disruptions can cause significant operational and reputational damage. The vulnerability does not directly impact confidentiality or data integrity but the availability impact alone can have cascading effects on energy management and EV user trust. Given the increasing reliance on EV infrastructure globally, this vulnerability poses a critical risk to service continuity and infrastructure reliability.

To mitigate this vulnerability, organizations should implement strict rate limiting on all WebSocket authentication requests to prevent excessive attempts from any single source. Deploying Web Application Firewalls (WAFs) or API gateways capable of detecting and throttling abnormal authentication traffic patterns can help reduce attack surface. Monitoring and alerting on unusual authentication request volumes or failed login attempts is critical for early detection. Employing multi-factor authentication (MFA) where possible can reduce the risk of brute-force attacks succeeding. Network segmentation and restricting access to the WebSocket API to trusted IP ranges can further limit exposure. Since no official patches are available, organizations should engage with SWITCH EV for updates and consider temporary compensating controls such as disabling WebSocket access if feasible. Regular security assessments and penetration testing focused on authentication mechanisms will help identify residual risks. Finally, maintaining incident response readiness to quickly address potential DoS or unauthorized access attempts is essential.